XDA Developers Android and Mobile Development Forum

Goal: S-off HOX (TEGRA3)

 
TripNRaVeR
(Last edited by TripNRaVeR; 24th January 2013 at 12:09 AM.)
#121

 
I have gained access to some neat tools!

The tool is also able to boot into diag58; currently I'm running it in userspace and can freely set everything I want. I tried entering diag58 but it was waiting on the modem. Going to try to read the secure key; it has basically access to everything.



If you like my work.. you may always buy me an ice cold beer
join #TripNDroid on IRC server: freenode
 
MrT69
#122
Re: Goal: S-off HOX+ and maybe the HOX (TEGRA3)

Found this:

http://a500bootloaderflash.tk/sbkcalc/

Maybe lcd047 could help at this point, also for the HOX.

Sent from my EndeavorU using xda app-developers app
 
Thunder07
#123

 
Quote:
Originally Posted by MrT69
Found this:

http://a500bootloaderflash.tk/sbkcalc/

Maybe lcd047 could help at this point, also for the HOX.

Sent from my EndeavorU using xda app-developers app
Unfortunately our sbk is very much different,
"It should be a 16 character long string containing only hexadecimal characters"
our only CPUID is one number long :/
I think ours is referred to as sbk v2 as well and it's yet to be cracked.


I know guys, I'm shooting down everything you're coming up with..
but I have to before someone starts a discussion & fills the thread with it...
I've been there and tried A LOT of stuff

 
TripNRaVeR
#124

 
Set odm production mode from 0x00000001 to 0x00000000 and we have what we want. How?

Well, that isn't as easy as expected..

Somewhere during boot there is a check if we are in production mode or not. If we are in production mode then all locks are set. If we aren't in production mode all locks are off and we have s-off.

Then we remove the check and it's done. We know that the flag can be set in the fuse directory. However it requires a kernel patch, the write protection can be turned off for that section.

Where to find it?
Look at nv-tegra git, there is bootloader source and try to find it (probably HTC renamed it)

 
blubbers
#125
Quote:
Originally Posted by TripNRaVeR
Set odm production mode from 0x00000001 to 0x00000000 and we have what we want. How?

Well, that isn't as easy as expected..

Somewhere during boot there is a check if we are in production mode or not. If we are in production mode then all locks are set. If we aren't in production mode all locks are off and we have s-off.

Then we remove the check and it's done. We know that the flag can be set in the fuse directory. However it requires a kernel patch, the write protection can be turned off for that section.

Where to find it?
Look at nv-tegra git, there is bootloader source and try to find it (probably HTC renamed it)
Tried that back in May, but I couldn't get the fuses to be writeable, tried this instead:
Code:
endeavoru-2.6.39-86aa44d/arch/arm/mach-tegra/tegra_odm_fuses.c

static bool fuse_odm_prod_mode(void)
{
        u32 odm_prod_mode = 0;

        /* read the ODM_PROD_MODE fuse while the fuse clock is enabled */
        clk_enable(clk_fuse);
        get_fuse(ODM_PROD_MODE, &odm_prod_mode);
        clk_disable(clk_fuse);
        /* forced result: always report "not production mode" to the caller */
        return false;
        /* never reached because of the return above */
        return (odm_prod_mode ? true : false);
}
 
TripNRaVeR
(Last edited by TripNRaVeR; 24th January 2013 at 03:03 PM.)
#126

 
Quote:
Originally Posted by blubbers
Tried that back in May, but I couldn't get the fuses to be writeable, tried this instead:
Code:
endeavoru-2.6.39-86aa44d/arch/arm/mach-tegra/tegra_odm_fuses.c

static bool fuse_odm_prod_mode(void)
{
        u32 odm_prod_mode = 0;

        /* read the ODM_PROD_MODE fuse while the fuse clock is enabled */
        clk_enable(clk_fuse);
        get_fuse(ODM_PROD_MODE, &odm_prod_mode);
        clk_disable(clk_fuse);
        /* forced result: always report "not production mode" to the caller */
        return false;
        /* never reached because of the return above */
        return (odm_prod_mode ? true : false);
}
You also need to have the vdd_fuse voltage line enabled to gain write access, you can find the source in my kernel tree on GitHub

Edit:
https://github.com/TripNRaVeR/tripnd...52d4ea27624646

Somehow this brings the device into APX mode when you have an ENG kernel, these bricks somehow could be useful to gain s-off.

If we write the fuses correctly it is done.

 
MrT69
#127
Also for the A500 Series - but Tegra chipset.
Some interesting information and also the links within:

http://projects.pappkartong.se/a500/
 
TripNRaVeR
#128

 
And another thing that also belongs here, have full access to my device right now during APX mode.

http://forum.xda-developers.com/show...postcount=4973

 
TripNRaVeR
#129

 
Got this key out of the 0.40 hboot


0x15d15b4fb63ee0b

 
xmoo
#130

 
Re: Goal: S-off HOX+ and maybe the HOX (TEGRA3)

Quote:
Originally Posted by TripNRaVeR
Got this key out of the 0.40 hboot


0x15d15b4fb63ee0b
I got 2 ENG and 2 MFG HBOOTs for you as .img to play with.

Sent from my HTC One X using xda app-developers app